Netgate Discussion Forum

Dynamic routing over IPSec tunnels

General pfSense Questions
7 Posts 4 Posters 852 Views
  • T
    travis.fleming
    last edited by Dec 1, 2022, 3:31 PM

    Hello,
    We have a remote site that is a Palo Alto. That Palo has 2 internet connections, so we have established 2 IPSec tunnels between the Palo and our pfSense firewall (with 1 internet connection). We set up the Phase 2 on the pfSense as a routed VTI.

    My question is how do I get the traffic to go over the secondary IPSec when the primary goes down? Currently I have a static route that says if you are trying to get to the 10.10.240.0/21 subnet that lives at the Palo side, go down the pfSense IPSec gateway 1. When that IPSec tunnel goes down, I have to manually change the route and it works to send traffic over the other gateway.

    How do I get this to work dynamically?

    • M
      michmoor LAYER 8 Rebel Alliance @travis.fleming
      last edited by Dec 1, 2022, 7:51 PM

      @travis-fleming said in Dynamic routing over IPSec tunnels:

      uestion is how do I get the traffic to to go over the secondary IPSec when the primary goes down? Currently I have a static route that sais if you are trying to get to the 10.10.240.0/21 subnet that lives at the Palo si

      Using dynamic routing would probably be easier. With OSPF you can set cost. With BGP you can set local-pref.
      Netgate has fantastic documentation on the different ways of using dynamic routing.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • J
        JKnott @michmoor
        last edited by Dec 1, 2022, 8:43 PM

        @michmoor

        If there is a primary that is used most of the time and the secondary is a fallback, then he could set the metric for a connection. The available connection with the lowest metric wins. This is possible with regular interfaces, but I'm not sure about IPSec.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • M
          michmoor LAYER 8 Rebel Alliance @JKnott
          last edited by Dec 1, 2022, 9:31 PM

          @jknott How can he set the metric?
          I think routed IPsec with dynamic routing (frr) in this case would be more flexible especially if there would be more networks that need to be routed to on either side in the future.


          • J
            JKnott @michmoor
            last edited by JKnott Dec 1, 2022, 10:23 PM

            @michmoor

            How can he set the metric?

            With interfaces, the ifconfig command. With IPSec I don't know. With OpenVPN, the metric is shown as 0, however, it can be changed with the route metric option.


            • T
              travis.fleming @michmoor
              last edited by Dec 2, 2022, 2:08 PM

              @michmoor Thank you. We were leaning toward this but wanted someone else to suggest it first. I think we will implement OSPF, it looks pretty simplistic!

              • S
                stephenw10 Netgate Administrator
                last edited by Dec 2, 2022, 3:57 PM

                You can't route via a gateway group and you can't set a metric on a route directly so using dynamic routing, like OSPF, is usually how this is done.

                You could just use policy routing if the PA can do some sort of reply-to to make sure replies come back over the same link. And if you only need to open connections toward the PA.

                Steve
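
An added illustration of the OSPF approach the replies above recommend, not configuration from any poster or from Netgate's documentation: an FRR configuration for the pfSense side that runs OSPF on both VTI interfaces and prefers the tunnel over the primary ISP by interface cost, so the prefix learned from the Palo moves to the second tunnel when the first adjacency drops. The interface names ipsec1000 and ipsec2000, the router-id 192.0.2.1, and the cost and timer values are assumptions for this example; on pfSense the FRR package writes frr.conf from the GUI, so these lines would be entered through the OSPF interface and global settings rather than edited by hand, and the Palo must run OSPF with the same area, network type and hello/dead timers on its two tunnel interfaces and advertise 10.10.240.0/21 over both.

```text
! frr.conf fragment (added example; names, addresses and values are assumptions)
! Prerequisites assumed: both VTI Phase 2s are assigned as interfaces in pfSense,
! the manual static route for 10.10.240.0/21 has been removed, and the firewall
! rules on the VTI interfaces allow protocol OSPF (IP proto 89) in.
!
interface ipsec1000
 description VTI to Palo Alto via its primary ISP
 ip ospf area 0.0.0.0
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
interface ipsec2000
 description VTI to Palo Alto via its secondary ISP
 ip ospf area 0.0.0.0
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf
 ospf router-id 192.0.2.1
 passive-interface default
 no passive-interface ipsec1000
 no passive-interface ipsec2000
 ! advertise the pfSense-side LANs to the Palo without listing each one
 redistribute connected
!
```

How the failover works: the Palo advertises 10.10.240.0/21 over both adjacencies; FRR installs the path through ipsec1000 because its cost (10) is lower than ipsec2000 (100). If the primary tunnel stops passing traffic, hellos stop arriving and the adjacency is declared dead after the dead-interval (3 seconds with the timers above), at which point the only remaining path is ipsec2000 and the kernel route is replaced without anyone editing it; when the primary returns, traffic moves back. Two caveats a practitioner would check: the timers must match on the Palo side or the adjacency never forms, and a tunnel whose IKE SA has silently died can leave the VTI interface "up", so enabling DPD on the Phase 1 gives a second, independent detection path. Verify with `vtysh -c 'show ip ospf neighbor'` (both neighbors Full) and `vtysh -c 'show ip route 10.10.240.0/21'` (next hop via ipsec1000), then pull the primary tunnel and confirm the route reappears via ipsec2000.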

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.